E-Privacy and Cookies: Legal Aspects
E-Privacy Directive
2002/58, amended by 136/2009
Main amendments focus on DBN (data breach notification / security) and on confidentiality of communications / unsolicited communications (Articles 5.3 and 13)
Emphasis on user empowerment, choice
E-Privacy directive: Transposition
• Patchy transposition (all MS: January 13)
• “Cookie rule” (5.3) major point of discussion (confidentiality of communications)
• National divergences 1) on interpretation of “consent” for the purposes of 5.3 (not only) AND 2) on the (technical) implementation of “consent”
Cookies
“A short alphanumeric text which is stored (and later retrieved) on the data subject’s terminal equipment by a network provider” (WP29’s Opinion 2/2010 on Online Behavioural Advertising)
Cookies may or may not contain personal information (IP Address, …)
This is irrelevant for the purpose of applying Article 5.3, which only refers to storage or retrieval of “INFORMATION” in the terminal equipment of a subscriber or user
Cookies – 2002/58 + 95/46
• However, if the information contained in a cookie includes personal data, then all the principles of directive 95/46 are also applicable
• So there is an interplay between the “consent” rule of 5.3 in directive 2002/58 (lex specialis) and directive 95/46 (lex generalis): that is to say, the rules on consent are those set out in directive 95/46 except where they are overridden by the “lex specialis” contained in directive 2002/58 (here: Article 5.3)
Cookies and Consent
Article 5.3 requires that storage of or access to any “information” (including cookies) in the subscriber’s/user’s terminal equipment be subject to prior informed consent (= before cookies are set)
– “Prior”: “has given… consent, having been provided…” (see also Recital 66)
– “Informed”: “… with clear and comprehensive information”
What Consent?
Article 5.3 of 2002/58 (lex specialis) sets out the specific requirements of prior informed consent for cookies
BUT this “consent” is in no way different from the “consent” of directive 95/46 (Article 2.h + Article 7); see also Article 2 of 2002/58
– Specific (and informed)
– Freely given
– Unambiguously given
Consent: Specific
Consequences 5.3:
– No blanket consent
– Purpose specification and limitation
– Appropriate information
WHERE: On the landing page of the website
WHAT: Purposes of processing; right to accept/decline all or part of the cookies
HOW: Layered approach (WP100) (different levels of detail)
Consent: Freely Given
Consequences 5.3:
– Real options must be available (e.g.: accept/decline all or part of the cookies / change browser settings)
– No conditions to be placed on consent (WP185: Opinion 15/2011 on the definition of consent)
– Continue browsing the website even after declining cookies
Consent: Unambiguously Given
Consequences 5.3:
– Active behaviour: silence/inactivity is no consent
– Evidence of consent must be available (to the controller)
– Simple scrolling of the webpage is not enough
– Click on a field, push a button, tick a box, or go to a third-party site where options can be exercised (trusted third party?)
NOTE: Proposed DP Regulation refers to consent as signified by «clear affirmative action»: no passive acceptance
Consent: Additional Food for Thought
Recital 66 of directive 136/2009: if «technically possible and effective», consent to processing may be expressed by way of browser settings or other applications, BUT «in accordance with directive 95/46». What does that mean exactly?
Interesting options, but technical difficulties: browsers are not information society service providers; interoperability; technical parameters
«Privacy plug-ins»?
Consent: Additional Food for Thought
- Proposed EU DP Regulation (COM/2012/11) Art. 4: “explicit” consent (rather than “unambiguous” consent)
- WP29’s Opinions (in addition to the “Consent” opinion):
  - Online Behavioural Advertising (WP171 of 2010)
  - Cookie Consent Exemptions (WP194 of 2012)
When Prior Consent Is Not the Rule
- WP29’s Opinion on Cookie Consent Exemptions
- Focuses on the second part of 5.3: no prior informed consent is necessary
  - A) For the sole purpose of carrying out transmission of a communication over an electronic communication network
  - B) If storage or access is strictly necessary for provision of a service by the provider of an information society service and such service has been explicitly requested by the subscriber or user
When Prior Consent Is Not the Rule
Hence, in many cases consent is unnecessary (technical conveyance of communications; provision of services like online shopping cart, authentication, multimedia player sessions, user interface customization, …) BUT only for the duration of a session (no permanent tracking) and only if the cookie is strictly necessary (in the user’s perspective)
Recital 25 of e-privacy: No need to obtain consent for each reading of the cookie – providing users/subscribers are aware that such reading takes place (= once-only informed consent)
The Grey Zone
Do-not-track: discussion in progress (W3C), should mean do-not-collect (in permanence); interoperability issues, standards, …
First-party analytics cookies (audience measuring tools): not necessary for either technical transmission or service provision purposes, but likely to cause no privacy risks (if used for first-party aggregated statistical purposes, with adequate information and an opt-out offered)
Rule of thumb? First party, session-specific cookies less likely to require consent than third-party, permanent cookies (see WP’s document on cookie consent exemption)
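The exemption slides and the rule of thumb above give a practical test for a cookie audit: first-party, session-only cookies whose purpose is strictly necessary for a service the user asked for fall under exemption B; anything persistent, third-party, or with a non-exempt purpose (analytics included) needs consent or at least information plus an opt-out. The following Python is an added example, not part of the presentation or of any WP29 document: it parses Set-Cookie headers collected from a page load, classifies each cookie on those three axes, and reports which ones need prior consent. The purpose catalogue (`EXEMPT_PURPOSES`), the name-to-purpose map and the sample headers are constructed for illustration.

```python
"""Cookie audit helper (added example): classify Set-Cookie headers by the
criteria discussed in the slides (first- vs third-party, session vs persistent,
declared purpose) and flag those likely to need prior consent under Art. 5.3.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Purposes the slides list as typically exemptable (strictly necessary for a
# service the user explicitly requested), provided the cookie is session-only.
# Assumed mapping for this example, not an official list.
EXEMPT_PURPOSES = {"shopping_cart", "authentication", "media_player",
                   "ui_customisation"}


@dataclass
class CookieVerdict:
    name: str
    first_party: bool
    persistent: bool
    purpose: str
    needs_consent: bool
    reason: str


def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (cookie name, lower-cased attribute dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def is_persistent(attrs, now):
    """Persistent if Max-Age > 0 or Expires lies in the future; Max-Age wins."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False  # malformed Max-Age is ignored, cookie stays session-only
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            return False  # unparseable or naive date: treat as session cookie
    return False


def is_first_party(cookie_domain, site_host):
    """First-party if there is no Domain attribute or Domain covers site_host."""
    if not cookie_domain:
        return True
    dom = cookie_domain.lstrip(".").lower()
    return site_host == dom or site_host.endswith("." + dom)


def classify_cookie(header, site_host, purposes, now):
    """Apply the slides' rule of thumb to one Set-Cookie header."""
    name, attrs = parse_set_cookie(header)
    persistent = is_persistent(attrs, now)
    first_party = is_first_party(attrs.get("domain"), site_host.lower())
    purpose = purposes.get(name, "unknown")
    if not first_party:
        reason = "third-party cookie: prior consent required"
        return CookieVerdict(name, first_party, persistent, purpose, True, reason)
    if purpose in EXEMPT_PURPOSES:
        if not persistent:
            reason = "session cookie strictly necessary for a requested service (exemption B)"
            return CookieVerdict(name, first_party, persistent, purpose, False, reason)
        reason = "purpose is exemptable but the cookie outlives the session: consent required"
        return CookieVerdict(name, first_party, persistent, purpose, True, reason)
    reason = "first-party cookie with non-exempt purpose (e.g. analytics): consent, or at least information and opt-out"
    return CookieVerdict(name, first_party, persistent, purpose, True, reason)


def audit(headers, site_host, purposes, now=None):
    now = now or datetime.now(timezone.utc)
    return [classify_cookie(h, site_host, purposes, now) for h in headers]


# Constructed sample: headers as they might be collected from all responses
# during one load of https://www.example.org/ (hypothetical site and names).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "cart=xyz; Path=/; Max-Age=2592000",
    "_ga=GA1.2.1; Domain=.example.org; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "id=tracker; Domain=ads.tracker-example.net; Max-Age=31536000",
]
SAMPLE_PURPOSES = {"sessionid": "authentication", "cart": "shopping_cart",
                   "_ga": "analytics"}
FIXED_NOW = datetime(2013, 1, 13, tzinfo=timezone.utc)  # fixed for reproducibility


def run_sample():
    return audit(SAMPLE_HEADERS, "www.example.org", SAMPLE_PURPOSES, now=FIXED_NOW)


if __name__ == "__main__":
    for v in run_sample():
        flag = "CONSENT" if v.needs_consent else "exempt "
        print(f"{flag} {v.name:10s} first_party={v.first_party} persistent={v.persistent} {v.reason}")
```

Only the `sessionid` cookie comes out exempt; the shopping-cart cookie is a good illustration of the "duration of a session" caveat, since an otherwise exemptable purpose stops being exempt once the cookie is given a thirty-day lifetime.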
Fortune Cookies
- http://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/2146935 (Guidance on cookies and consent, in English)
- WP29’s Website (http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm) (Opinions and Recommendations of EU DPAs, also on cookies)
- http://www.w3.org/2011/tracking-protection/ (Do-not-track standards from W3C)
THANK YOU
- For listening
- For your attention
- For not asking too many difficult questions….